The PageUp hack shows how people and companies can be powerless in the face of a data breach
PageUp says its customers are returning following the job application data breach.
However, major companies, such as the Commonwealth Bank and NAB, are still not using the recruitment platform provider.
The hack highlights the fact that the Notifiable Data Breaches amendment only requires companies to notify those affected. There’s no remediation required.
The PageUp hack has affected hundreds of thousands of Australians who entrusted their personal information to a corporate website when applying for a job online.
And yet there is little those affected, the individuals who have had their information exposed, can do other than take a few security measures.
Job seekers have had an apology or two but there is no come-back, no redress under current regulations.
The Notifiable Data Breaches amendment introduced in February this year, through which Australia found out about the hack, only requires the affected parties be notified of the loss of personal data likely to result in serious harm.
People can take remedial action, such as talking to IDCARE, the government’s identity and cyber security service, for advice on recovering their identity. They can also complete a Commonwealth victim’s certificate to assist in the recovery of their identity for use with government services.
But that’s it. The only other avenue, if anyone affected feels aggrieved, is to take civil action in the courts.
“We sincerely regret some data may be at risk,” says PageUp. This includes names, street addresses, email addresses, and telephone numbers.
PageUp also says it can’t be sure that those responsible for the breach even downloaded data.
And the extent of the problem remains unknown. The Melbourne-based recruitment platform provider PageUp, and the Office of the Australian Information Commissioner, to which the incident had to be reported under the new Notifiable Data Breaches regime, have refused to provide even aggregated data to show how many companies and people have been affected.
However, the number of job seekers affected, judging by the major companies and government bodies whose recruitment sites were hit by the data breach, easily runs into the hundreds of thousands.
We only have a clue as to the number of PageUp clients because of a comment by Australian Cyber Security Centre Head, Alastair MacGibbon, who told a function that the company has “a couple of hundred corporate customers including government”.
The company again today would not reveal how many records were exposed nor the number of people affected.
The breach apparently occurred during a coordinated attack in late May on PageUp’s IT systems in Australia, Singapore and the UK. PageUp notified customers on June 1.
A long list of large companies and government bodies immediately cut links with PageUp.
Today PageUp, a $35 million turnover company started 20 years ago, says customers are returning.
“The majority of customers have returned to using the recruitment module, and many continued to use the platform without disruption throughout,” says Karen Cariss, PageUp CEO and Co-Founder.
“I have been heartened by the messages of support from our long-time customers.”
However, the Commonwealth Bank, Australia’s largest company by market capitalisation, was this week still emailing job applicants to say their data was at risk.
The CBA is still on a manual recruitment process.
“PageUp has not confirmed what Commonwealth Bank data has been affected,” says a spokesperson for the bank. “However, protecting data is one of our most important responsibilities, so like many organisations we suspended our use of PageUp’s systems and let people know the type of information may have been involved and the steps they could take to protect their personal information.”
The NAB also has still not turned its recruitment site back on. And other major companies are still directing job seekers to LinkedIn and Seek.
Andrew Johnson, Chief Executive Officer at ACS (Australian Computer Society), says his organisation has been supportive of Notifiable Data Breaches as a step in the right direction for privacy protection in Australia.
“This increase in transparency is forcing more Australian companies to think about their cyber security and privacy practices, although many organisations still have improvements to make,” he says.
“Individuals who experience identity theft as a result of a data breach can potentially engage in civil action against a company for failing their duty of care, either individually or as part of a class action.”
Law firms, including Centennial Lawyers, are reportedly looking at a class action in the PageUp case. One of the companies whose job applicant details were put at risk is law firm Maurice Blackburn, known for its high-profile class actions. It has, however, said it is not involved in this matter.
The consumer watchdog, the ACCC, is taking a close interest in the impact of digital platforms on society.
“The question of how we approach the proliferation of digital platforms, and how they collect and manage our data, is one of the defining questions of our age,” says ACCC Chair Rod Sims.
The ACCC is conducting an inquiry into digital platforms and their disruptive effect.
“We do not believe that consumers are generally well-informed about how digital platforms collect and use their data,” says Sims.
“The issue is not just about the wording of a privacy policy. We will be also examining whether users appreciate the value of the data they are providing to these platforms, both when they are using these platforms, and also when they are not. In other words, are users ‘selling’ their data too cheaply in exchange for convenience?”
For more on this story go to: https://www.businessinsider.com.au/pageup-hack-jobs-data-breach-regulations-2018-7